
IDS13-J and IDS14-J

ID: IRCAR201502248
Date: 2015-02-27
 
IDS13-J. Use compatible character encodings on both sides of file or network IO
 
This rule will be discussed later.
 
IDS14-J. Do not trust the contents of hidden form fields
 
HTML allows fields in a web form to be visible or hidden. Hidden fields supply values to a web server but give the user no mechanism to modify their contents. However, there are techniques attackers can use to modify those contents anyway. A web servlet that uses a GET form to obtain parameters also accepts those parameters through a URL, and a URL lets the user specify any parameter names and values in the web request. Therefore, hidden form fields should not be considered any more trustworthy than visible form fields.
 
Noncompliant Code Example
The following noncompliant servlet accepts a visible field and a hidden field and echoes both back to the user. The visible parameter is sanitized before being passed to the browser, but the hidden field is not.
 
When fed the parameter param1, the web page displays the following:
 
However, an attacker can easily supply a value to the hidden parameter by encoding it in the URL as follows:
 
When this URL is provided to the browser, the browser displays:
 
Compliant Solution
This compliant solution applies the same sanitization to the hidden parameter as is applied to the visible parameter:
 
Consequently, when the malicious URL is entered into a browser, the servlet produces:
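The servlet pair described above, as an added example that is not the page's or CERT's own code: the parameter names `visible` and `hidden`, the allow-list pattern and the HTML form are assumptions. The noncompliant behaviour is the commented-out line that writes the hidden value unchecked; the compliant version runs both parameters through the same allow-list check before they reach the response.

```java
// Added example, not the original page's code. Parameter names, the
// allow-list pattern and the markup are assumptions for illustration.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HiddenFieldServlet extends HttpServlet {

    // Allow-list: only word characters, at most 64 of them. Anything else
    // (angle brackets, quotes, ampersands, ...) is rejected rather than echoed.
    private static final Pattern SAFE = Pattern.compile("\\w{0,64}");

    /** Returns the value unchanged if it is on the allow-list, else an empty string. */
    static String sanitize(String value) {
        if (value == null || !SAFE.matcher(value).matches()) {
            return "";
        }
        return value;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Both parameters arrive through the same client-controlled query
        // string, e.g. ?visible=abc&hidden=..., so "hidden" carries no
        // guarantee that it still holds what the form originally contained.
        String visible = req.getParameter("visible");
        String hidden = req.getParameter("hidden");

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        out.println("<p>Visible: " + sanitize(visible) + "</p>");

        // Noncompliant (IDS14-J): trusts the hidden field and echoes it raw.
        // out.println("<p>Hidden: " + hidden + "</p>");

        // Compliant: the hidden field gets exactly the same treatment.
        out.println("<p>Hidden: " + sanitize(hidden) + "</p>");
        out.println("</body></html>");
    }

    // Stand-alone check of the sanitizer on constructed inputs; needs no container.
    public static void main(String[] args) {
        String[] samples = {"abc123", "<script>alert(1)</script>", "a\"b", "", null};
        for (String s : samples) {
            System.out.println(s + " -> \"" + sanitize(s) + "\"");
        }
    }
}
```

Rejecting non-matching input outright (rather than stripping characters) keeps the check simple to reason about; if the application needs to echo arbitrary text, the alternative is HTML-encoding every parameter before output, again applied identically to visible and hidden fields.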
 
Risk Assessment
Trusting the contents of hidden form fields exposes the application to the same injection risks as trusting unsanitized visible fields, because an attacker can set either one in the request.
 
 

Created: 9 Esfand 1393